brodie@fps.mcw.edu (11/16/89)
I love DECUS. Nowhere else in the world can you find "neat" hints and tips from other users (AND from DEC :-). I recently attended the Anaheim Symposium, where I picked up this neat little tidbit-- SECURITY has always been a hot topic, especially for VAX systems. One thing that has been brought up in the past is the need for a "password checker" utility that can go through the UAF file and tell you (the systems manager, supposedly) which people are using STUPID passwords (prime example, password=their_username).

YOU ALL HAVE THIS UTILITY ALREADY
---------------------------------

For all of you that are on VMS version 5, think back to your upgrade procedure. Just before the upgrade really gets going, there is a documented step in which the VMSINSTAL procedure being run goes ahead and "checks" the passwords for the system accounts (SYSTEM, FIELD, SYSTEST, etc.) to make sure that they do not have "weak" or null passwords. I had always thought that that was a specialized utility that only checks those accounts. WRONG!

On the VMS Version 5.0 distribution tape, in the saveset VMS050.A, there are two handy files--

    VMS$SECUREPWD.COM and VMS$SECUREPWD.EXE

Gee, guess what these do?!

VMS$SECUREPWD.EXE is a program that takes one parameter (the username) and "checks" the password to see if it is "VALID" or "WEAK" (easily guessable). The program does this WITHOUT trying to log into the account, which keeps the user from seeing that someone (the system manager) "tried" to log in unsuccessfully. Note that the program does NOT tell you WHICH password it is, but suffice it to say that if a user account comes up with a "WEAK" status, you should probably force the user to change their password.

VMS$SECUREPWD.COM is the command file that runs VMS$SECUREPWD.EXE on the system accounts, and is set up to be run in the context of a system install or an upgrade. However, you can easily modify your OWN copy to do the WHOLE UAF file, and not just one (small group of) account(s).
Here's how it works (make a DCL that does the following):

0. Just for kicks, BACKUP your UAF file to a secure location or tape.

1. Define a foreign command for VMS$SECUREPWD.EXE (let's call it "validate"). Do NOT install this image. Rather, keep it in a PROTECTED system directory. You may even want to rename it to something like "XMAR11.EXE" or some other unobvious name...

2. Use your DCL know-how to get a UAF listing, and read one username at a time from this list.

3. For each username, do the following:

       $ validate check 'username/guess

   This assumes, of course, that the symbol "username" is defined as one of your valid usernames....

4. For each username, VMS$SECUREPWD.EXE only takes a second or two. Once done, it will return a logical name (symbol), "VMS$SECURE", that has one of the following values:

       "VALID"     password is not easily guessable
       "WEAK"      password too easy to guess (most common, pw=username)
       "DISUSER"   account is disabled
       "NONEXIST"  account does not exist

That's it, folks! Due to the licensing/rights of VMS$SECUREPWD.COM, I cannot post it here. However, you all have your OWN copies on your distribution tapes, and you are all strictly on your own as far as running it.

Note-- get a GOOD look at VMS$SECUREPWD.COM to verify what it is doing! You also need a somewhat privileged account to run it.

Additionally, there is one last qualifier called /EXCLUDE. The /EXCLUDE list is a place where you can give a list of OTHER passwords that you do not want people using (for example, the initials of your company, the name of your company, and other easy-to-guess passwords specific to your site/location). This qualifier is placed at the end of the command, and accepts a list. E.g.,

       $ validate check 'username/guess/exclude=(MEDCOL,VAXVMS,COKE,PEPSI)

Well, that's it. Have fun.

*DISCLAIMER*: The opinions in this article are my own, and only mine. No guarantee is given on the above procedure; you are strictly on your own.
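The loop that steps 1 through 4 above describe, written out as an added example DCL procedure; it is not the poster's own command file and not DEC's VMS$SECUREPWD.COM. It assumes the image has been moved to SYS$MANAGER: (any protected directory will do), that the result comes back as the logical name VMS$SECURE (a symbol of that name is checked as a fallback, since the post says "logical name (symbol)"), and it uses a placeholder /EXCLUDE list that you replace with your own site-specific words.

```dcl
$! PWCHECK.COM -- added example, not the original poster's or DEC's procedure.
$! Assumptions (not from the post): image lives in SYS$MANAGER:, result comes
$! back in the logical name VMS$SECURE (symbol as fallback), /EXCLUDE is a
$! placeholder list.  Run from a privileged account.
$ SET NOON
$! Step 1: foreign command; the image is deliberately NOT INSTALLed.
$ VALIDATE :== $SYS$MANAGER:VMS$SECUREPWD.EXE
$ checked = 0
$ weak = 0
$! Step 2: get a UAF listing.  AUTHORIZE writes SYSUAF.LIS to the default dir.
$ MCR AUTHORIZE LIST/BRIEF
$ OPEN/READ uaf SYSUAF.LIS
$ OPEN/WRITE report PWCHECK.RPT
$ next:
$   READ/END_OF_FILE=done uaf line
$   bracket = F$LOCATE("[", line)
$!  No UIC on the line means a header, page break or blank line: skip it.
$   IF bracket .EQ. F$LENGTH(line) THEN GOTO next
$!  The username is the last blank-separated word before the UIC; the owner
$!  field in front of it may itself contain blanks, so walk to the last word.
$   prefix = F$EDIT(F$EXTRACT(0, bracket, line), "TRIM,COMPRESS")
$   i = 0
$ find:
$   word = F$ELEMENT(i, " ", prefix)
$   IF word .EQS. " " THEN GOTO found      ! F$ELEMENT returns the delimiter past the end
$   username = word
$   i = i + 1
$   GOTO find
$ found:
$   checked = checked + 1
$!  Step 3: check this account without logging in to it (placeholder exclude list).
$   VALIDATE check 'username'/guess/exclude=(SITENAME,VAXVMS)
$!  Step 4: pick up the result; logical name first, symbol as fallback.
$   status = F$TRNLNM("VMS$SECURE")
$   IF status .EQS. "" .AND. F$TYPE(VMS$SECURE) .NES. "" THEN status = VMS$SECURE
$   IF status .EQS. "VALID" THEN GOTO next
$   IF status .EQS. "WEAK" THEN weak = weak + 1
$   WRITE report F$FAO("!12AS !AS", username, status)   ! WEAK, DISUSER or NONEXIST
$   GOTO next
$ done:
$   CLOSE uaf
$   CLOSE report
$   DELETE SYSUAF.LIS;*
$!  The report names the weak accounts, so keep it readable by SYSTEM only.
$   SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) PWCHECK.RPT
$   WRITE SYS$OUTPUT "Checked ''checked' accounts, ''weak' weak"
$ EXIT
```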
Additionally, you may want to check with your local DEC customer support rep before running this program. I have provided this information as a "useful tool" on a "you have it, you may want to USE it, but if it blows up, don't come crying to me" basis. VMS$SECUREPWD.COM and VMS$SECUREPWD.EXE are both copyrights of DIGITAL EQUIPMENT CORP, and they will get extremely cranky if you give copies of these utilities to anyone. That's why I did not post my OWN utility-- you're gonna all have to write your own.

By the way, I ran this on our UAF of 324 user accounts. 7 of them showed up as "weak", and 5 of those 7 had the PW=USERNAME combination. SHEESH.

-------------------------------------------------------------------------------
Kent C. Brodie - Systems Manager                  brodie@mcw.edu
Medical College of Wisconsin                      +1 414 778 4500
"Gee, I hope these are the right coordinates..."  -Chief O'Brian; STTNG